Red Hat Bugzilla – Bug 1548345
TLS Deployments don't work in Ocata with Pre-Provisioned Nodes
Last modified: 2018-05-29 07:24:57 EDT
Description of problem: Enabling External TLS with the files: enable-tls.yaml tls-endpoints-public-dns.yaml do not work with RHOSP 11 with Pre-Provisioned Nodes There is no /etc/pki/tls/private/overcloud_enpoint.pem generated There is no calls of the certificates in /etc/haproxy/haproxy.cfg Version-Release number of selected component: RHOSP 11 How reproducible: Standard deployments works. Adding TLS templates do not work. We don't see tripleo::haproxy::service_certificate defined in the hieradata. OS::TripleO::NodeTLSData seems not to work with custom roles Steps to Reproduce: 1. Adding enable-tls.yaml and tls-endpoints-public-dns.yaml to a working configuration 2. Making a fresh new deployment 3. The stack finish with a CREATE_COMPLETE, endpoints are populated with SSL addresses, overcloudrc files are generated with https://CloudName:13000 but nothing is listening on HAProxy because configuration is not done Actual results: No TLS Expected results: Having TLS for external endpoints
Fixed by: https://code.engineering.redhat.com/gerrit/131021 QA testplan: deploy a split-stack overcloud (deployed-server) with overcloud ssl. it should be successful. all test plans should probably be updated to use ssl with the overcloud
This patch on puppet/role.role.j2.yaml done this morning by James Slagle with the support of Steven Hardy and Juan Antonio Osorio Robles fixed the issue on my RHOSP 11 external SSL deployment: https://review.openstack.org/#/c/547249 [root@controller0 ~]# cat /etc/haproxy/haproxy.cfg | grep -c overcloud_endpoint.pem 18 [stack@director ~]$ openssl s_client -connect company.com:13000 CONNECTED(00000003) depth=3 C = COM, O = COMPANY, OU = 0002 552081317, CN = AUTHORITY verify return:1 depth=2 C = COM, O = COMPANY, OU = 0002 444608442, CN = AUTHORITY COMPANY verify return:1 depth=1 C = COM, O = COMPANY, OU = 0002 444608442, CN = AC AUTHORITY verify return:1 depth=0 C = COM, O = COMPANY, OU = 0002 444608442, CN = company.com verify return:1 --- Certificate chain 0 s:/C=COM/O=COMPANY/OU=0002 444608442/CN=company.com i:/C=COM/O=COMPANY/OU=0002 444608442/CN=AUTHORITY COMPANY --- Server certificate -----BEGIN CERTIFICATE----- MIIFeDCCA2... Thanks for this fix and your hard work
Verified on puddle 2018-05-15.2 [stack@undercloud-0 ~]$ rpm -q openstack-tripleo-heat-templates openstack-tripleo-heat-templates-6.2.12-2.el7ost.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2018:1627